<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<meta name="keywords" content="SecuLution online documentation, web online help, web help" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link rel=stylesheet href="default.css" type="text/css" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

 <TITLE>SecuLution Documentation - Audit</TITLE>
<STYLE type="text/css">
.t0i { font-family: Tahoma, Verdana; font-size: 11px; color: #000000; text-decoration: none } 
  .i0tab { border: 0; border-collapse: collapse; }
  .i0ind { border: 0; Height: 16px }
</STYLE>
</HEAD>
<BODY bgcolor="white" style="margin: 0; border: none; padding: 0px">
   
<TABLE bgcolor="white" width="100%" border="0" cellpadding="3">
 <TR>
  <TD align="left" width="100" nowrap>
   <a href="http://www.seculution.com" target="_top">Home</a> &nbsp;&nbsp;
  </TD>
  <TD align="center"  nowrap>
   <b><font size="3pt" color="black">SecuLution Documentation</font></b>
  </TD>
  <TD align="right" width="120" nowrap>
   <a href="check_deployment.htm">back</a>
   <a href="dragndrop.htm">next</a>
  </TD>
 </TR>
</TABLE>
<TABLE width="100%" border="1" cellpadding="5">
<TR valign="top">
  <TD bgcolor="white">
  
<h1>Audit</h1>

<ul>
<li><a href="#classification">Sort rules by classification</a>
</li>

<li><a href="#devices">Classify devices</a>
</li>

<li><a href="#software">Audit software</a>
</li>

<li><a href="#ssdb">SecuLution Managed Whitelist</a>
</li>
</ul>

<hr>

<h4><a id="classification" name="classification"></a>Sort rules by
classification</h4>

<p>If you followed the "best practice" chapter, you have been
adding hashes to your whitelist in two steps:</p>

<ol>
<li>Import trustworthy software from sample computers and other
sources using certain classification strings (e.g. "sample
computers;Windows8;x64;SP1").</li>

<li>Add, in learn mode, any software running on computers in your
network that differs from what you imported in step 1, using a
different classification string (e.g. "added in learn mode").</li>
</ol>

<p>At this point you only know that the hashes imported in step one
are trustworthy. However, it is quite likely that users, even without
administrative rights, have been running software that you don't want
or that might even be malware. Therefore the programs learned in step
two should be audited manually, hash by hash. To minimize the work, we
audit only those hashes that were added in learn mode. Select <strong>View
&gt; Rules &gt; by Classification</strong> from the menu (or press
CTRL-4, or select the fourth radio button above the rules
treeview):</p>
<img alt="menuView" src="i/000713.png"><br>
<br>
Let's assume you have imported trustworthy software (step one)
using classification strings like "sample
computers;Windows8;x64;SP1" and added additional software in learn
mode using the classification string "added in learn mode". Then
your whitelist will look like this:<br>
<br>
<img title="Ruleset1" alt="Ruleset1" src="i/000716.png"><br>
<br>
Now double-click "sample computers":<br>
<img title="open1" alt="open1" src="i/000717.png"><br>
As you can see, these are all the hashes you imported in step one
from your sample computers and the other sources you found to be
trustworthy. There is no need to look through them; they can be
ignored completely, no matter how many there are.<br>
<br>
Let's open the classification "added in learn mode":<br>
<img title="lern1" alt="lern1" src="i/000718.png"><br>
This is the software and hardware that we need to audit. Continue
with <a href="#devices">device classification</a>.<br>
<br>
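<p>The "by Classification" view described above is a tree built from the semicolon-separated levels of each entry's classification string. The following script is an added example, not part of SecuLution's documentation or code: it builds that tree from a constructed sample whitelist (placeholder hashes), counts the entries under each branch, and lists only the entries still classified "added in learn mode", which is exactly the set that needs auditing.</p>

```python
"""Build the 'by Classification' tree from semicolon-separated classification
strings and list the entries that still need auditing.

Added example, not SecuLution's code. SAMPLE_WHITELIST is constructed sample
data with placeholder hashes.
"""

# Constructed sample whitelist: (hash, filename, classification string).
SAMPLE_WHITELIST = [
    ("0000000000000000000000000000aaaa", "notepad.exe", "sample computers;Windows8;x64;SP1"),
    ("0000000000000000000000000000bbbb", "cmd.exe", "sample computers;Windows8;x64;SP1"),
    ("0000000000000000000000000000cccc", "setup.exe", "sample computers;Windows7;x86"),
    ("0000000000000000000000000000dddd", "1033dotnetfx.exe", "added in learn mode"),
    ("0000000000000000000000000000eeee", "solitaire.exe", "added in learn mode"),
    ("0000000000000000000000000000ffff", "AcroRd32.exe", "added in learn mode"),
]

LEARN_MODE_CLASS = "added in learn mode"


def build_tree(entries):
    """Nest entries by the ';'-separated levels of their classification string.

    Each node is a dict: child nodes live under their level name, the entries
    classified exactly at that node live under the key '_entries'.
    """
    root = {"_entries": []}
    for file_hash, filename, classification in entries:
        node = root
        for level in classification.split(";"):
            level = level.strip()
            if level not in node:
                node[level] = {"_entries": []}
            node = node[level]
        node["_entries"].append((file_hash, filename))
    return root


def count_entries(node):
    """Number of entries at this node and in all of its sub-classifications."""
    total = len(node["_entries"])
    for name, child in node.items():
        if name != "_entries":
            total += count_entries(child)
    return total


def pending_audit(entries, learn_class=LEARN_MODE_CLASS):
    """Entries whose top-level classification is still the learn-mode string."""
    return [(h, f) for h, f, c in entries if c.split(";")[0].strip() == learn_class]


def render(node, depth=0):
    """Indented text lines mirroring the treeview, with entry counts per branch."""
    lines = []
    for name, child in node.items():
        if name == "_entries":
            continue
        lines.append("  " * depth + f"{name} ({count_entries(child)})")
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(SAMPLE_WHITELIST))))
    print("to audit:", [f for _, f in pending_audit(SAMPLE_WHITELIST)])
```

<p>Everything under "sample computers" is skipped regardless of how many entries it holds; only the learn-mode branch is returned by <code>pending_audit</code>.</p>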

<hr>

<h4><a id="devices" name="devices"></a>Classify devices</h4>
First, let's classify all devices. Select <strong>View &gt; Rules
&gt; by Path</strong> from the menu (or press keys CTRL-2, or
select the second radio button above the rules treeview):<br>
<img alt="" src="i/001017.png"><br>
<br>
You'll find the group "device":<br>
<img alt="" src="i/001018.png"><br>
<br>
Select all devices by double-clicking "devices", selecting the
first entry, holding down the <em>SHIFT</em> key and clicking on the
last entry:<br>
<img alt="" src="i/001019.png"><br>
<br>
Then right-click, select "change classification", and enter
"Devices".<br>
<img alt="" src="i/001020.png"><br>
<br>
Repeat these steps for the subfolders as well.<br>
<br>
Select <strong>View &gt; Rules &gt; by Classification</strong> from
the menu (or press keys CTRL-4, or select the fourth radio button
above the rules treeview):<br>
<br>
<img title="dev" alt="dev" src="i/000722.png"><br>
<br>
You can classify devices the same way you can classify software,
using semicolon as the separator:<br>
<img title="cl5" alt="cl5" src="i/000723.png"><br>
You can at any time delete hashes that represent devices from the
whitelist. Devices that have been deleted from your whitelist will
not be usable after the user disconnects and reconnects the device,
reboots their computer, or selects "recheck devices" from the
Agent's icon.<br>
<br>

<hr>

<h4><a id="software" name="software"></a>Audit software</h4>
Next we need to look through the hashes that represent software
that was added in learn mode. Until today, the main component of
your endpoint security solution was probably an antivirus product,
which reported that during the last scan no malware was found in
your network. But is that really true?<br>
<br>
Let's go through the list, one by one, and find out whether you really
want to approve all the software that's being used in your network.
To judge whether a particular hash is really trustworthy, there are
several indications we can use:<br>
<br>
<img alt="" src="i/000724.png"><br>
<br>
Path:
<div style="margin-left: 40px;">In this example, the program
"1033dotnetfx.exe" was started from
"g:\alle-lesen\cad\install-agievision\", which in this case is a
mapped network drive of a UNC path on a server where only
administrators have write access. There is strong evidence that
this is a good program, since it must have been written to this
path by an administrator. You know your paths. You will recognize
where software is coming from.</div>
Filename:<br>

<div style="margin-left: 40px;">The filename "1033dotnetfx.exe" is
a hint, but since unwanted software can have any name, it is no
proof that "1033dotnetfx.exe" really is what it claims to be.</div>
<br>
Hash:<br>

<div style="margin-left: 40px;">The hash
"52456ac39bbb4640930d155c15160556" is a reliable key to find out if
this is good or bad software. Right-click on the hash.

<ul>
<li>"Google search". In this case Google will immediately show
about 1,000 pages that contain this hash, most of them telling you
that this is DotNet 1.1. This is still not 100% proof, but it is
now very unlikely that the program is actually something other
than what it claims to be.</li>

<li>"Open file properties". You can show the file's properties and
look for digital signatures. However, this works by accessing the
admin share of the host the program was started from and reading
the file live. If that computer is unavailable (switched off) or
the admin share is closed, the file properties will be
unavailable.</li>

<li>"Check program online". This is an online service called
<a href="#ssdb">Managed Whitelist</a> we (SecuLution) offer to our
customers. Based on the results of a large number of antivirus
tools and about a dozen other resources, we can give an estimation
of how secure this software probably is.</li>
</ul></div>
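<p>The three indications above (path, filename, hash) can be combined into a small triage routine. The script below is an added example, not SecuLution's code: the administrator-only path roots, the known-bad hash and the second UNC root are constructed placeholders, and the known-good entry reuses the hash and identity this page gives for the DotNet 1.1 installer. Treating the hash as an MD5 digest (32 hex digits) is an assumption about the product. The routine shows why the filename never decides anything: two files named "1033dotnetfx.exe" with different contents produce different hashes, and only the hash is looked up.</p>

```python
"""Triage a whitelist entry that was added in learn mode, using the three
indications the text lists: path, filename and hash.

Added example, not SecuLution's code. ADMIN_ONLY_ROOTS, KNOWN_BAD and the
UNC share are constructed; KNOWN_GOOD reuses the hash the page shows for the
DotNet 1.1 installer. MD5 as the hash algorithm is an assumption.
"""
import hashlib
from dataclasses import dataclass, replace

# Constructed: roots where only administrators have write access
# (the page's g:\alle-lesen\ mapped drive plus an invented UNC share).
ADMIN_ONLY_ROOTS = ("g:\\alle-lesen\\", "\\\\fileserver\\software$\\")

# Constructed lookup tables keyed by lowercase hash.
KNOWN_GOOD = {"52456ac39bbb4640930d155c15160556": "Microsoft DotNet Framework 1.1 installer"}
KNOWN_BAD = {"0badc0ffee0badc0ffee0badc0ffee00": "known backdoor (constructed placeholder)"}


@dataclass(frozen=True)
class Entry:
    file_hash: str
    filename: str
    path: str
    classification: str


def md5_hex(data: bytes) -> str:
    """Hash of the file content; the file's name plays no part in it."""
    return hashlib.md5(data).hexdigest()


def path_is_admin_controlled(path: str) -> bool:
    """True if the program was started from a root only administrators can write to."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root.lower()) for root in ADMIN_ONLY_ROOTS)


def triage(entry: Entry):
    """Return (verdict, reasons); verdict is 'delete', 'trusted' or 'review'."""
    h = entry.file_hash.lower()
    if h in KNOWN_BAD:
        return "delete", [f"hash flagged as {KNOWN_BAD[h]}"]
    reasons = []
    if h in KNOWN_GOOD:
        reasons.append(f"hash identifies {KNOWN_GOOD[h]}")
    else:
        reasons.append("hash unknown: verify via search, file properties or Check program online")
    if path_is_admin_controlled(entry.path):
        reasons.append("started from an administrator-controlled path")
    else:
        reasons.append("started from a user-writable path")
    # The filename is reported for context only; it is never evidence on its own.
    reasons.append(f"filename '{entry.filename}' is not proof of identity")
    return ("trusted" if h in KNOWN_GOOD else "review"), reasons


def reclassify(entry: Entry, new_classification: str) -> Entry:
    """Replace the learn-mode classification, e.g. with 'Software;MS;DotNet;Installer;1.1'."""
    return replace(entry, classification=new_classification)


if __name__ == "__main__":
    real = Entry("52456ac39bbb4640930d155c15160556", "1033dotnetfx.exe",
                 "g:\\alle-lesen\\cad\\install-agievision\\", "added in learn mode")
    fake = Entry(md5_hex(b"constructed: not the installer"), "1033dotnetfx.exe",
                 "c:\\users\\bob\\downloads\\", "added in learn mode")
    for e in (real, fake):
        verdict, why = triage(e)
        print(e.filename, e.file_hash, verdict, "; ".join(why))
```

<p>An entry verdict of "review" is the case the page's hints cover: assign it a special classification so it can be revisited rather than approving it blindly.</p>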

<p>In this particular case, this is really Microsoft's installer
for DotNet Framework 1.1, which we will regard as trustworthy. So
we should reclassify this program by changing the classification
string from "added in learn mode" to for example
"Software;MS;DotNet;Installer;1.1".</p>
<img title="dn" alt="dn" src="i/000725.png"><br>
<br>
You should now continue to audit and reclassify or delete all
software that was "added in learn mode".<br>
<br>
A few hints:<br>
<span style="font-style: italic;">I don't know this software! Is
this malware?</span><br>
Don't panic. Potentially malicious or unwanted software may have
already been running for ages now without anyone noticing. Yes, you
should take care of that as soon as possible, but no need to panic
now! You can assign a special classification to everything that
you're not sure about, so that you will be able to take a closer
look at that as soon as you have the time. As soon as you turn off
the learn mode, SecuLution makes sure that your network security
cannot be further compromised, even if you couldn't audit all
software immediately.<br>
<br>
<span style="font-style: italic;">I found something that I
definitely don't want!</span><br>
Remove obvious unwanted software immediately by clicking on "delete
entry". Users will get used to not being able to run their favorite
games anymore, so there's probably no need to call them and
complain about their misuse!<br>
<br>
<img title="ab" alt="ab" src="i/000726.png"><br>
<br>
<span style="font-style: italic;">I found a dozen versions of the
same software!</span><br>
You will probably find software that exists in various versions.
This happens when there hasn't been much effort put into updating
installed software. The various hashes usually each represent an
individual version of a product. There's even one more version of
that software, namely the one that was installed on the sample
computer from which you imported trustworthy software, which
doesn't show up here because it's already classified as
trustworthy! Assuming that your sample computer had the latest
version of all tools installed, this means that all the other
hashes in this list are mostly outdated and probably have known
security issues!<br>
<br>
<img alt="" src="i/000727.png"><br>
Take a step back and think again about what you found here: in your
network there were various software products with security
issues that you were not aware of! Now that has changed! Don't
reclassify them here; instead make sure you update all outdated
and insecure versions, and then delete the entries here so that they
cannot be used anymore. This way SecuLution offers an easy way of
keeping track of all versions of all software running in your
network. It may be a bit of work to get to that point, but
SecuLution is not to blame for that: this important work must be
done to keep your software versions up to date.<br>
<br>
<span style="font-style: italic;">But how do I know on which
computers the software is being used?</span><br>
You can change the loglevel of the log entry that is written every
time a program is started. If you want to know where this old version of
Adobe Reader is being used, just edit the "Allow" rule of that
program and set the loglevel to, for example, "5":<br>
<img alt="" src="i/000739.png"><br>
<br>
Loglevel 5 is greater than the threshold you configured for
logging, so from now on you'll find entries in the logs which tell
you which computer started this. Update those computers. Then
delete this program from your whitelist.<br>
<br>
<br>
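<p>Once the Allow rule logs at a level above the configured threshold, the question "which computers start this hash?" is a filter over the log. The script below is an added example, not SecuLution's code, and its key=value line layout is an assumption: this page does not show the real log format, so the sample lines, hashes and host names are all constructed. It skips malformed lines, applies the threshold, and reports host and user per hash, which is the list of computers to update before the entry is deleted from the whitelist.</p>

```python
"""Find out on which computers a particular program (hash) is being started,
from log entries written after raising the loglevel of its Allow rule.

Added example, not SecuLution's code. The key=value line layout is an
assumption (the real log format is not shown on the page); hashes, hosts
and users are constructed placeholders.
"""
import re
from collections import defaultdict

OLD_HASH = "c0ffee00c0ffee00c0ffee00c0ffee01"  # constructed: outdated Adobe Reader
NEW_HASH = "c0ffee00c0ffee00c0ffee00c0ffee02"  # constructed: current version

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = r"""2015-03-02 09:14:07 host=PC-042 user=mueller level=5 action=allow hash=c0ffee00c0ffee00c0ffee00c0ffee01 path=C:\Program Files\Adobe\Reader 9.0\AcroRd32.exe
2015-03-02 09:20:31 host=PC-117 user=schmidt level=5 action=allow hash=c0ffee00c0ffee00c0ffee00c0ffee01 path=C:\Program Files\Adobe\Reader 9.0\AcroRd32.exe
2015-03-02 09:22:02 host=PC-042 user=mueller level=5 action=allow hash=c0ffee00c0ffee00c0ffee00c0ffee01 path=C:\Program Files\Adobe\Reader 9.0\AcroRd32.exe
2015-03-02 09:30:15 host=PC-201 user=weber level=3 action=allow hash=c0ffee00c0ffee00c0ffee00c0ffee02 path=C:\Program Files\Adobe\Reader 11.0\AcroRd32.exe
this line is not a log entry and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) level=(?P<level>\d+) "
    r"action=(?P<action>\S+) hash=(?P<hash>[0-9a-f]{32}) path=(?P<path>.*)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def events_at_or_above(text, threshold):
    """Entries whose loglevel reaches the configured logging threshold."""
    return [r for r in parse_lines(text) if int(r["level"]) >= threshold]


def hosts_running(text, target_hash):
    """Map host to the sorted users that started the program with this hash."""
    hosts = defaultdict(set)
    for r in parse_lines(text):
        if r["hash"] == target_hash.lower() and r["action"] == "allow":
            hosts[r["host"]].add(r["user"])
    return {h: sorted(u) for h, u in sorted(hosts.items())}


if __name__ == "__main__":
    for host, users in hosts_running(SAMPLE_LOG, OLD_HASH).items():
        print(f"update {host} (used by {', '.join(users)})")
```

<p>With a logging threshold of 4, only the level-5 entries of the old version are written, which is why the current version's level-3 start on PC-201 never shows up in the report.</p>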

<hr>
<br>

<h4><a id="ssdb" name="ssdb"></a>SecuLution Managed Whitelist</h4>

<p>You can request additional information from an online webservice
called "Managed Whitelist". Clicking on "Check program online"
shows information about this program based on more than 50
different antivirus tools, and a huge list of trusted applications
which the manufacturer Seculution GmbH manages and updates on a
daily basis.</p>

<p><img title="virusfound" alt="virusfound" src="i/000668.png">
</p>

<p>Of course the Managed Whitelist cannot have information about
any and all programs. But you'll still get valuable information
like:</p>

<ul>
<li>Did any antivirus product classify this software as malware?
(e.g. program is a known backdoor software)</li>

<li>Are there other users using this software as well? (e.g.
program is the very latest version of your favorite editor)</li>

<li>Is this known and trustworthy software? (e.g. program is from
Windows installation media)</li>
</ul>

<p>Currently SecuLution's Managed Whitelist cannot automatically
audit your whitelist since it's your whitelist, your network and
your decision whether you want to allow certain software or not.
But SecuLution's Managed Whitelist can help you make the right
decision.</p>

  </TD>
</TR>
</TABLE>
</BODY>
</HTML>
